International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies. Our previous blog on this topic confirmed that, following Brexit, the UK will be a ‘third country’ for the purposes of international transfers of data under the GDPR, which could have serious implications for the practicalities of legally transferring personal data from the EU to the UK. This blog updates the position and examines the possible outcomes of the ongoing Brexit negotiations on the transfer of personal data from the EU to the UK.
On 14 November 2018, the UK government published a draft withdrawal agreement (governing the terms of the UK’s departure from the EU), Article 71(1) of which anticipates a transition period for the continued application of EU data protection law (i.e. the GDPR) for the processing of the personal data of individuals resident outside the UK, provided that the personal data: (a) was processed under EU law in the UK before the end of the transition period; or (b) is processed in the UK after the end of the transition period on the basis of the withdrawal agreement. However, the continued application of EU data protection law merely affirms the current position that personal data may only be transferred to third countries (such as the UK after Brexit) if the European Commission (the “Commission”) has provided that country with an adequacy decision or, in the absence of an adequacy decision, either certain safeguards are adopted in relation to the transfer or a specific derogation can be relied upon (see our previous blog for more details).
Fortunately, according to Article 71(2), the transitional arrangements referred to above will fall away if the Commission makes an adequacy decision essentially affirming that the UK’s processing of personal data provides a satisfactory level of protection to EU-based individuals. This would mean there is no need for reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK, which will result in minimal disruption to business continuity. However, it’s worth noting that adoption of the draft withdrawal agreement by the UK Parliament and EU leaders does not guarantee the provision of an adequacy decision for the UK, although it would seem to be in all parties’ interests for the Commission to implement an adequacy decision in the event of the UK and the EU striking a Brexit deal.
Even if the UK receives an adequacy decision, the draft withdrawal agreement reminds us that it is not permanent and could be repealed by the EU after one of its periodic reviews of the UK’s data protection laws post-Brexit. If an adequacy decision ceased to apply for any reason then Article 71(3) requires the UK to “ensure a level of protection of personal data essentially equivalent to that under EU law…” Onerous as this may seem, it is not a commitment for the UK to maintain and apply the GDPR (which is currently incorporated into domestic law, irrespective of Brexit, by the Data Protection Act 2018); rather, we will have some discretion as to how we implement data protection law, albeit curtailed to some extent by the withdrawal agreement. However, irrespective of how we tinker with our domestic data protection law, the absence of an adequacy decision for the UK means reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK which, as you will note below, is as good as having no deal in place!
On 25 November 2018, a summit of EU leaders unanimously approved the terms of the draft withdrawal agreement. However, if the UK Parliament fails to approve the draft withdrawal agreement, resulting in a no deal Brexit, the Commission has expressly stated that the adoption of an adequacy decision is not part of its contingency planning. EU member states do not have the power to unilaterally grant adequacy decisions to third countries as approval from representatives of all EU member states is required. This effectively rules out the possibility of the UK concluding bilateral agreements with member states on the international transfer of personal data where EU law applies.
A no deal Brexit therefore suggests an extended period of reliance on the safeguards and derogations referred to above in order to legally transfer personal data from the EU to the UK. As you will note from our previous blog, reliance on these measures to govern all transfers of personal data from the EU to the UK is likely to be cumbersome in practice, partly given the rigid nature of the Standard Contractual Clauses (SCCs) (in so far as they must be adopted entirely and without amendment to their legal effect) and the magnitude of the task presented by establishing legally sound Binding Corporate Rules from a time and resource perspective. Also noteworthy is that the validity of SCCs is under consideration by the European Court of Justice as questions have arisen over whether they satisfy the standards of care required by the more recent GDPR.
What you can do now
It’s currently unclear whether the UK Parliament will approve the draft withdrawal agreement (and early signs are certainly not positive) and, even if it is approved, we will need to wait and see if the UK will receive an adequacy decision during the transitional period of Brexit. The only certainty we have at this point is that a no deal Brexit means reliance on the safeguards and derogations in order to legally transfer personal data from the EU to the UK. If your business is reliant upon such data transfers from the EU, it would be advisable to consider putting in place contingency plans for a no deal Brexit by preparing for the use of appropriate safeguards and/or derogations.